Using 802.1X to control physical access to LANs

Network security would be so much easier if you could control which physical computers were allowed to join your network. It would mean a hacker would have to gain physical access to a particular computer before they could even start to attack your network. One technology used to control admission of computers into a network is 802.1X, a port-based access control. It is mainly used on wireless networks but is increasing in popularity as an access control method on wired networks too.

802.1X features MAC address filtering. Any machine whose MAC address on the network adapter does not match an entry in the account database is not permitted access to the network. Unfortunately, like IP addresses, MAC addresses can be spoofed. This creates the possibility of a man-in-the-middle attack, albeit a sophisticated one. To prevent this type of attack, 802.1X should be combined with the Extensible Authentication Protocol (EAP) to authenticate the client to the network and the network to the client.

802.1X is one way of preventing entry to your network, but once it authenticates the connection it assumes all traffic over the connection is legitimate. To really solve the problem of rogue machines, each computer needs to protect itself from the other computers on the network.

So, 802.1X should also be used in conjunction with IPSec, which provides end-to-end authentication and encryption between hosts on a network.

Looking ahead to the release of Microsoft Windows Vista/Longhorn, it's understood that they will include Network Access Protection (NAP). This feature will allow you to protect your network from unhealthy computers by enforcing compliance with network health policies. This is similar to Cisco's Network Admission Control (NAC), which isolates and denies network access to non-compliant devices. While NAP and NAC play a different role from 802.1X in controlling network connections, it will certainly go a long way to ensuring trusted computers on the network stay that way.

About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Web Security School and, as a SearchSecurity.com site expert, answers user questions on application and platform security.